FreePBX | Register | Issues | Wiki | Portal | Support

Legacy FreePBX Distro with fail2ban 0.9.6


#1

Hi folks

Here follows an “unsupported configuration” topic from my side. :wink:

My legacy FreePBX 11 Distro is running quite well. Unfortunately the original fail2ban 0.8.8 service has stopped working. After some testing with yum I decided to update several modules to their latest avaiable version on epel:

yum update openssl
yum update openvpn
yum update portaudio
yum update htop
yum update jack-audio-connection-kit
yum update protobuf
yum update lua-dbi
yum update lua-expat
yum update lua-sec
yum update lua-socket
yum update flite
yum update sqlite2
yum update mosh

yum update fail2ban

My optional packages were:

yum update p7zip
yum update p7zip-plugins

To my big surprise fail2ban 0.9.6 was installed without any errors. Yes, the update has broken the FreePBX GUI “intrusion detection” (fail2ban) fronted but otherwise fail2ban 0.9.6 is active & running. Because no jails were active I enabled them manually. This has worked quite good. For some time it blocked several IP addresses but now the most jails seems to be again not really active.

My main problem lies in the confusion regarding the correct logpaths between the different version of Asterisk, FreePBX and fail2ban.

For example, - what is the correct location of the fail2ban logs? There seems to be two main possibilities: /var/log/asterisk/fail2ban and /var/log/fail2ban.log

(Keep in mind that I use the stock 0.9.6 fail2ban version with FreePBX 11).

Most likely I had to run some fail2ban regex commands?

My jail.local contains the following lines:

[ssh-iptables]

enabled = true
filter = sshd
action = iptables-multiport[name=SSH, protocol=tcp, port=ssh]
logpath = /var/log/secure


[asterisk]

enabled  = true
port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp"$
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp"$
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/full
maxretry = 5


[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban


[asterisk-challengesent]

enabled = true
filter = asterisk-challengesent
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban*


[apache-tcpwrapper]

enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, protocol=tcp, port=http]
logpath = /var/log/httpd/error_log


[vsftpd-iptables]

enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, protocol=tcp, port=ftp]
logpath = /var/log/secure


[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, protocol=tcp, port="http,https"]
logpath  = /var/log/httpd/*access_log
bantime  = 172800
maxretry = 1


[recidive]

enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
bantime  = 2419200  ; 4 weeks
findtime = 86400   ; 1 day
maxretry = 20

The [asterisk-challengesent] jail is a supplement to [asterisk-iptables]. The filter file contains only one failregex:

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[^"]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="[\da-fx]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$

This code is more effective then the original one in asterisk-iptables, it blocks the “anonymous ChallengeSent attacks” more reliable. (Source: https://www.ip-phone-forum.de/threads/neue-hackversuche-fail2ban-muss-angepasst-werden.284351/)


(Lorne Gaetz) #2

The asterisk console will tell you how the log files are configured:

freepbx*CLI> logger show channels
Logger queue limit: 1000

Channel                             Type     Formatter  Status    Configuration
-------                             ----     ---------  ------    -------------
/var/log/asterisk/fail2ban          File     default    Enabled    - NOTICE WARNING SECURITY
/var/log/asterisk/full              File     default    Enabled    - DEBUG NOTICE WARNING ERROR VERBOSE DTMF
                                    Console  default    Enabled    - DEBUG NOTICE WARNING ERROR VERBOSE DTMF

#3

Thanks lgaetz for your super fast replay. It seems that I have the same two logs active:

localhost*CLI> logger show channels
Channel                             Type     Status    Configuration
-------                             ----     ------    -------------
/var/log/asterisk/fail2ban          File     Enabled    - NOTICE WARNING SECURITY
                                    Console  Enabled    - DEBUG NOTICE WARNING ERRO              R VERBOSE
/var/log/asterisk/full              File     Enabled    - DEBUG NOTICE WARNING ERRO              R VERBOSE FAX

So regarding the asterisk-iptables filter I must use /var/log/asterisk/fail2ban. And regarding the recidive filter logpath /var/log/fail2ban.log* is used.

Is no further regex command needed? I thought I read that because of the fail2ban version difference (0.8.x to 0.9.6) certain “stuff” should be “re-registered”. Whatever, maybe I will remove & uninstall the legacy fail2ban frontend in FreePBX 11 and make a new install of fail2ban 0.9.6 from epel :wink:


(Lorne Gaetz) #4

Negative. The file /var/log/fail2ban.log is for logging fail2ban events, and is not scanned by fail2ban for malicious activity.


#5

Thanks again lgaetz for your fast replay. That’s exactly what I thought…

However, FreePBX 14 seems to come with exactly that fail2ban recidive filter logpath setting. (I get my config from the jail.local of the thread starter Basildane):

I thought if FreePBX 14 comes with this setting then it should be also the correct one for my fail2ban 0.9.6 at FreePBX 11. (Although the logging of fail2ban messages does not make much sense) :wink:

Update:

I can confirm now, /var/log/fail2ban.log* is definitely the correct setting for the recidive filter. With this config fail2ban will check his own logs regarding excessive attacks. So far I know recidive is the only fail2ban filter which works on that way.

Note, if the fail2ban.log files are missing on /var/log/ then it is necessary to enforce fail2ban to create it there with the following steps:

  1. Open the /etc/fail2ban/fail2ban.conf file
  2. Change the line: logtarget = SYSLOG to logtarget = /var/log/fail2ban.log
  3. restart fail2ban service or sudo service fail2ban restart

After this the recidive filter is working perfectly. :grinning:


#6

Here follows a further addition regarding some other important new failregex. After implementing the above updated filter I noticed still some hacking attempts in my logs. There were several not authenticated attempts to make a SIP call:

[2019-04-04 00:47:20] NOTICE[1672][C-00000015] chan_sip.c: Failed to authenticate device <sip:400@178.83.160.214>;tag=1938629210
[2019-04-04 00:47:20] SECURITY[1655] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1554331640-715482",Severity="Error",Service="SIP",EventVersion="2",AccountID="6000441613941753",SessionID="0x21b8848",LocalAddress="IPV4/UDP/192.168.1.4/5060",RemoteAddress="IPV4/UDP/185.53.88.168/58246",Challenge="350152af",ReceivedChallenge="350152af",ReceivedHash="f801ae8143005e921301d9901c3afd45

Similar attacks of this type were first reported in 2013 / 2014. (https://issues.freepbx.org/browse/FREEPBX-7573). Unfortunately the proposed changes seems to be not correctly implemented in later fail2ban versions. :roll_eyes: Because of this I have created an other fail2ban filter file:

# Fail2Ban filter for asterisk "unknown attacker IP"
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
# before = common.conf

[Definition]

# _daemon = asterisk

# __pid_re = (?:\[\d+\])

# iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
# log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]$

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
        NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
        NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)

        NOTICE.* .*: Host <HOST> denied access to register peer '.*'
        NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
        NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
        NOTICE.* .*: Peer '.*' is not dynamic (from <HOST>)
        NOTICE.* .*: Host <HOST> denied access to register peer '.*'
        SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
        SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
        SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
        SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"

		VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black / leonidf / modified by lorn10
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

The additional code in jail.local is:

[asterisk-unknownattackerIP]

enabled = true
filter = asterisk-unknownattackerIP
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban*
maxretry = 1

For me, this worked PERFECTLY. My FreePBX logs looks now near PERFECTLY. :grinning: Well, in other situations these rules may be too strong, - whatever…